Uly.me

cloud engineer

Archives for January 2021

Install OpenJDK 8

Here’s the installation instructions for OpenJDK 8.

For Fedora, Redhat and Oracle Linux.

yum install java-1.8.0-openjdk

For Debian and Ubuntu.

apt-get install openjdk-8-jre

To see if the packages (symbolic links) are there, they can be found in /etc/alternatives/, at least in Redhat 7.

ls -l /etc/alternatives/

Restart RPC GSSD Service

If a Linux user is having an access problem with a NFS share, and particularly with key expiration, then check if the RPC GSSD service is up and running. NFS clients uses the RPCSEC_GSS protocol to establish security credentials with a NFS server using Kerberos authentication.

Here’s an example of a key expire error due to a NFS client not authenticated properly.

df -h
df: '/data/dir1': Key has expired
df: '/data/dir2': Key has expired
df: '/data/dir3': Key has expired

Check if RPC GSSD service is healthy. Restart the service if there are credential errors.

service rpc-gssd status

Here’s one with an authentication issue.

[root@server ~]# service rpc-gssd status
Redirecting to /bin/systemctl status rpc-gssd.service
● rpc-gssd.service - RPC security service for NFS client and server
   Loaded: loaded (/usr/lib/systemd/system/rpc-gssd.service; static; vendor preset: disabled)
   Active: active (running) since Sun 2021-01-31 03:16:43 CST; 2h 14min ago
 Main PID: 710 (rpc.gssd)
   Memory: 1.6M
   CGroup: /system.slice/rpc-gssd.service
           └─710 /usr/sbin/rpc.gssd
 
Jan 31 03:17:10 server.domain.com rpc.gssd[710]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found
Jan 31 03:17:10 server.domain.com rpc.gssd[710]: ERROR: No credentials found for connection to server nas.domain.com
Jan 31 03:17:10 server.domain.com rpc.gssd[710]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found
Jan 31 03:17:10 server.domain.com rpc.gssd[710]: ERROR: No credentials found for connection to server nas.domain.com

Restart the service.

service rpc-gssd stop
service rpc-gssd start

Here’s a service that’s healthy.

[root@server ~]# service rpc-gssd status
Redirecting to /bin/systemctl status rpc-gssd.service
● rpc-gssd.service - RPC security service for NFS client and server
   Loaded: loaded (/usr/lib/systemd/system/rpc-gssd.service; static; vendor preset: disabled)
   Active: active (running) since Sun 2021-01-31 05:33:54 CST; 28min ago
  Process: 9809 ExecStart=/usr/sbin/rpc.gssd $GSSDARGS (code=exited, status=0/SUCCESS)
 Main PID: 9810 (rpc.gssd)
   Memory: 804.0K
   CGroup: /system.slice/rpc-gssd.service
           └─9810 /usr/sbin/rpc.gssd
 
Jan 31 05:33:54 server.domain.com systemd[1]: Starting RPC security service for NFS client and server...
Jan 31 05:33:54 server.domain.com systemd[1]: Started RPC security service for NFS client and server.

AWS EC2 List Firewall Rules

AWS EC2 Firewall rules are defined within security groups. Security groups are attached to an instance. An instance can have up to 5 security groups. Essentially, this script gathers all the security groups associated with an instance, loops through them, and then outputs the ingress and egress rules of each security group to a file in a text format.

#!/bin/bash
# set variables
instanceid='i-xxxxxxxxxxxxxxxx'
region='us-east-1'
profile='sample'
# log and temp files
output="ec2-sg.log"
tmpfil="ec2-sg.tmp"
# empty log at start
> $output
# get sg ids
aws ec2 describe-instances \
--instance-ids $instanceid \
--region $region \
--profile $profile \
--query 'Reservations[*].Instances[*].SecurityGroups[*].[GroupId]' --output text > $tmpfil
while read -r id; do
  echo '============================================' >> $output
  echo $id >> $output
  echo '============================================' >> $output
  echo '---------------- INGRESS -------------------' >> $output
  aws ec2 describe-security-groups \
  --group-ids $id \
  --profile $profile \
  --region $region \
  --output text \
  --query 'SecurityGroups[].IpPermissions[].[FromPort,ToPort,IpProtocol,IpRanges[].CidrIp[]|[0]]' >> $output
  echo '---------------- EGRESS --------------------' >> $output
  aws ec2 describe-security-groups \
  --group-ids $id \
  --profile $profile \
  --region $region \
  --output text \
  --query 'SecurityGroups[].IpPermissionsEgress[].[FromPort,ToPort,IpProtocol,IpRanges[].CidrIp[]|[0]]' >> $output
done < $tmpfil

Here’s a sample output.

============================================
sg-xxxxxxxxxxxxxxx
============================================
---------------- INGRESS -------------------
5985    5985    tcp     10.0.0.220/32
10005   10005   tcp     10.0.0.164/32
---------------- EGRESS --------------------
80      80      tcp     10.0.0.14/32
40000   65535   udp     10.0.0.0/8
3389    3389    tcp     10.0.0.96/32
9389    9389    tcp     10.0.0.0/8
5985    5986    tcp     10.0.0.96/32

Adding Domains in Certbot

You can register multiple domains to a single SSL certificate. This is particularly useful if you are hosting multiple domains on one server. This command adds more domains to your existing certificate.

certbot --expand -d existing.com -d newdomain1.com -d newdomain2.com

Check if the domains were added.

certbot certificates

Certbot certificates are valid for 90 days, but they automatically renew themselves if expiration is less than 30 days. If you need to renew manually for some odd reason, you can run this command. You can also perform a dry-run before renewing.

certbot renew
certbot renew --dry-run

Using Or on Regular Expressions

Here’s a regex using the pipe symbol as OR to allow only 6 possible values. 

regex="efs-(00|04|08|12|16|20)00"

Matches:

efs-0000
efs-0400
efs-0800
efs-1200
efs-1600
efs-2000

No matches:

efs-0100
efs-2200
efs-0600
efs-1400
efs-1800
efs-1110
111022
asdb023
2330asd
1200-efs
1205
abc

$var is compared with $regex to find a match. $var is any of the variables above.

if [[ $var != $regex ]]; then
  echo "Not a match"
else
  echo "It's a match"
fi